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Sir: 

This is an appeal from the Examiner's Final Rejection dated September 14, 2006 of 
Claims 1,3, and 5. A Notice of Appeal was filed on March 13, 2007, together with a 
Request for three-month extension of time. 

I. REAL PARTY IN INTEREST 

The real part in interest is OTKRYTOYE AKTSIONERNOYE OBSCHESTVO by 
virtue of the assignment recorded at Reel/Frame 011071/0187-0188 in this application on 
August 23, 2000. 

05/09/2087 DEflHflNUl 00800184 09622047 
II. RELATED APPEALS AND INTERFERiENCES 500.09 OP 



Appellants, Appellants' representative and their assignee are not aware of any other 
appeals or interferences which will directly affect or be directly affected by or having a 
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bearing on the decision of the Board of Patent Appeals and Interferences ("Board") in this 
appeal. 

IIL STATUS OF THE CLAIMS 

The appealed claims are Claims 1, 3, and 5, which are currently pending in this 
application. Claims 1, 3, and 5 stand rejected under 35 U.S.C. § 102 (b) as allegedly being 
anticipated by Schneier (Bruce Schneier, Applied Cryptography, 1996, John Wiley & Sons, 
pages 270 - 273, copies are enclosed in the Evidence Appendix). A copy of the claims on 
appeal appears in the attached Claims Appendix. 

IV. STATUS OF AMENDMENT 

The pending claims were not amended in the Response to the Final Rejection filed 
on January 5, 2007. 

V. SUMMARY OF THE CLAIMED SUBJECT MATTER 

The present invention is related to cryptographic methods for encrypting data that 
can be used in the fields of electronic communication and computer technology. According 
to the known methods, the block data encryption is achieved by generating an encryption 
key in the form of a plurality of subkeys, splitting data block into subblocks, and alternately 
convert the data subblock by using a cyclic offsetting operation, modulo 2 addition 
operation, and modulo 2"'^ addition operation. The subkeys are used according to a fixed 
schedule. The subkey is independent of the data block. In the U.S. standard DBS (National 
Bureau of Sdtandards, Data Encryption Standard Federal Information Processings Standard 
Publication 46, January 1997), the data sublocks are converted according to a secret key 
control. In this method, at some fixed encryption round number, a fixed subkey is used for 
all data subblocks. These methods have many drawbacks, such as low encryption rate and 
insufficient resistance to differential and linear cryptanalysis (see pages 1 - 2). The present 
invention provide a method for block encryption of discrete data, comprising the steps of: 
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generating an encryption key in the form of a set of subkeys, breaking down a data block 
into N > 2 data subblocks and alternately converting said data subblocks by performing a 
two-place operation on the data subblock and the subkey, wherein, prior to carrying out 
said two-place operation on an i-th data subblock and a subkey, an operation of permuting 
subkey bits is performed on the subkey depending on the value of a j-th data subblock, 
where i ^ j (see pages 3, Examples 1 - 3 on pages 5-11, Figs. 1 - 6, Claim 1). In addition, 
according to the claimed method, an operation of cyclic offsetting subkey bits depending 
on the value of the j-th data subblock is used as the j-th data subblock-dependent operation 
of permuting subkey bits (see Claim 3, Examples 1 - 3 on pages 5-11, Figs. 1 - 6). 
Furthermore, according to the claimed method, the operation of permuting subkey bits is 
performed on one of said set of subkeys depending on the value of the j-th data subblock, 
where i^j, and the value of another subkey (see Claim 5, Examples 1 - 3 on pages 5-11, 
Figs. 1 - 6). The claimed methods overcome the drawbacks of the known methods (see 
page 12). 

VL GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

Whether Claims 1, 3, and 5 are properly rejected under 35 U.S.C. § 102 (b) as being 
anticipated by Schneier (Bruce Schneier, Applied Cryptography, 1996, John Wiley & Sons, 
pages 270 - 273). 

VIL ARGUEMENT 

Claims L 3, and 5 Are Not Anticipated by Schneier Reference Because It Does Not Teach 
or Su22est All the Limitations of These Claims 

The final rejections of the application are based on 35 U.S.C. 102 (b). According to 
the U.S. patent law and according to MPEP 2131, "A claim is anticipated only if each and 
every element as set forth in the claim is found, either expressly or inherently described, in 
a single prior art reference." Verdegaal Bros, v. Union Oil Co. of California, 814 F.2d 628, 
631, 2 USPQ2d 1051, 1053 (Fed. Cir. 1987). 
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In the Final Office Action, the Examiner indicated that Schneier discloses key bit 
permutation operation depending on the data being converted. The issue is how to correctly 
interpret the disclosure of Schneier by a person of ordinary skill in the art. 

Applicant respectfully submits that, Schneier, when describing algorithm DES (US 
Data Encryption Standard), does not disclose any feature of converting a subkey depending 
on data being converted. Fig. 12.1 of Schneier shows a general diagram of data conversion 
in accordance with the encryption algorithm DES, which includes 16 rounds of conversion. 
In each round of conversion, based on a right subblock R and subkey K, function /=/ (R, 
K) is calculated, after which a left subblock L is converted by performing on it the 
operation XOR: L\= L®f{R, K), where =" is the designation of assignment operation. 
Between the preceding and subsequent encryption rounds, the subblocks are transposed 
(swapped). Thus, it is important to ascertain, how conversion / (R, K) is performed. In the 
Examiner's view, in calculating/(/?, K), the operation of permuting subkey bits depending 
on data being converted is used. However, Applicant's detailed study of Schneier has 
shown that this is not the case. More specifically, Schneier shows that the procedures of 
calculating the function /(/?, K) includes consecutive performing the following operations: 

operation of broadening L 32-bit data subblock to X broadened 48-bit data 

subblock; 

conversion of the broadened subblock by means of its addition with 48-bit 
subkey X \ = X ® K (before this step, no conversions depending on the data 
block being converted have been performed on this round subkey, i.e. no 
permuting subkey bits depending on data has been performed); 
performing a cascade of substitution operations of 6x4 size implementing the 
substitution operation 56x4, as a result of which the broadened 48-bit subblock is 
converted into 32-bit binary vector Z : Z = 86x4 (X); 

performing the transmutation operation /* which consists in a fixed permutation 
of the vector Z bits, i.e. permutation of the vector Z bits is performed 
independently of the value of some data subblock but always in the same 
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manner, as prescribed by the Schneier reference. After performing operation P, 
the value off{R, K) is obtained, i.e. we have/(/?, K) = P(Z), 

The above detailed operations have revealed that, in forming the value of/(i?, K) in 
the DES algorithm, the operation of permuting subkey bits depending on data being 
converted is not used. The vector Z bit transmuting operation performed in the cited 
method of block encryption (algorithm DES) is fixed and is performed regardless of data 
being converted. Schneier confirms this by describing the operation P in the section "The 
P-box permutation". 

The Applicant has also studied the procedures of working-out round subkeys Ki, 
K2, K!6. According to Schneier, round keys Kj, K2, K}6 are generated by means of 
converting a secret key, on which an operation of fixed transmuting key bits is performed, 
which depends on the round number but does not depend on data subblock being 
converted. For a given round, this operation of transmuting key bits is the same for all 
different datablocks being converted. Following the above fixed key bit transmutation, a 
fixed compressing key bits transmutation is performed, a result of which is this value of the 
current round subkey. Fixed compressing key bits transmutation does not depend on the 
data subblock being converted and remain always the same. Thus, the procedures of 
forming round keys of DES algorithm also lacks the feature of "prior to carrying out said 
two-place operation on an i-th subblock and a subkey, an operation of permuting subkey 
bits is performed on the subkey depending on the value of a j-th data subblock, where i 

Thus, the Examiner has incorrectly interpreted the conversion operation / appeared 
on page 270 and in Fig. 12.1 of Schneier as an operation of permuting bits of subkey K}. In 
fact, the conversion operation / is not a permutation operation. This is further supported by 
the following evidence. 

The number of "one" bits and the number of "zero" bits in a binary vector produced 
as a result of combined conversion of subkey Ki and data subblock Rq (page 270 and Fig. 
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12.1) is typically not equal to the number of "one" and "zero" bits in either subkey Kj or in 
data subblock Rq. However, as a result of performing the operation of bit permutation, the 
number of "one" bits and the number of "zero" bits in the output binary vector is always 
equal to the number of "one" bits and the number of "zero" bits, respectively, in the input 
binary vector. This is because, in performing the operation of permutation, the bits are 
permuted but not inverted. The fact that the conversion operation / is not an operation of 
permutation, is also supported by B. Schneier, A. Menezes (see page 225 of Menezes A. J., 
Vanstone S.A., Handbook of Applied Cryptography, CRC Press, 1996, previously 
submitted in the response filed on August 22, 2006 and hereby enclosed in the Evidence 
Appendix) and J. Buchmann (see page 131 of Buchmann J. Introduction to Cryptography, 
Springer- Verlag, New York, Berlin, 2004, previously submitted in the response filed on 
August 22, 2006 and hereby enclosed in the Evidence Appendix). 

In addition, Schneier does not explain nor describe that the conversion operation /is 
a permutation operation. In Fig. 12.1, Schneier presents a general scheme of conversions of 
algorithm DES as a sequence of performing sixteen typical conversion rounds and 
designates one conversion round as the conversion operation / Then, in Fig. 12.2, Schneier 
discloses elementary operations constituting each round. Schneier detailed elementary 
operations constituting the conversion operation / in the sections immediately following 
page 270 and Fig. 12.1, such as the section of "The Expansion Permutation" on page 273. 
Because this section immediately follows the description of the general scheme of the 
make-up of algorithm, Schneier clearly does not indicate that this section describes 
consecutive elementary operations, which specify the conversion operation / Apparently, 
this circumstance misled the Examiner. The fact that the conversion operation / in 
algorithm DES is a composite operation and includes a sequence of elementary conversion 
operations, follows from the description of DES provide also in the widely known 
document — Menezes (see Menezes A.J., Vanstone S.A., Handbook of Applied 
Cryptography, CRC Press, 1996), on page 255 (Figs. 7.10)(copy enclosed in Evidence 
Appendix). The document Menezes clearly discloses that peforming the conversion 
operation /is a sequence of the following elementary operations: i) subblock i?/./ expansion 
operation (e.g. of subblock Ro), ii) modulo 2 bit-by-bit summation operation performed on 
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an expanded data subblock and subkey Ki (e.g. subkey Kj), iii) substitution operation 
performed on the result obtained at the output of the preceding operation, and iv) fixed bit 
permutation operation. Here, the fixed bit permutation operation does not depend on any 
data subblock being converted. The same fixed bit permutation is performed for all 
possible input data in a given round when performing the operation / at step iv). The 
document J. Buchmann also indicates that the conversion step operation / used in algorithm 
DES consists of the above elementary operations i), ii), iii) and iv), on page 131 
(Buchmann J. Introduction to Cryptography, Springer- Verlag, New York, Berlin, 2004, 
copy enclosed in Evidence Appendix). Therefore, the conversion operation / is not a bit 
permutation operation and does not include any bit permutation operation dependent on a 
data subblock. Accordingly, algorithm DES does not anticipate the claimed invention. 

Furthermore, although page 270 of Schneier indicates that "The right half of the 
data is expanded to 48 bits via an expansion permutation, combined with 48 bits of a 
shifted and permuted key via an Xor one of ordinary skill in the art cannot conclude 
from this reference that a bit permutation operation was previously performed on the 
subkey depending on some data subblock being converted. On page 272 and in section 
"The Key Transformation", Schneier discloses, what bit permutation operation was 
performed on the subkey: "First, the 56-bit key is divided into two 28-bit halves. Then, the 
halves are circularly shifted left by either or two bits, depending on the round." Thus, in 
algorithm DES, the bit permutation operation is performed on the key by depending on 
the number of the round, but not on the data subblock, i,e, algorithm DES lacks the 
feature of performing the subkey bit permutation operation depending on the data 
subblock being converted , that is presented in the claimed invention. 

The Examiner has established a connection between a fixed permutation performed 
on a key to form the predetermined encryption round and the data block which is converted 
at the predetermined encryption round. Applicant respectfiilly disagrees with such 
interpretation of DES encryption algorithm that is well known to a person of ordinary skill 
in the art, since Schneier does not describe such an operation, because it is not used in DES 
algorithm. A connection arbitrarily established by the Examiner between the round key, 



7 



Appl. No. 09/622,047 
Appeal Brief 



Attorney Docket: P65855US0 



e.g., for the i-th round, and the subblock value at the i-th round does not relate to the 
technical content of the conversion procedures and operations used in DES algorithm as 
understood by a person of ordinary skill in the art. 

The fact that, in DES algorithm, round keys are formed regardless of data 
converted, is supported by the following obvious facts: 

1. Independently of data converted, at each predetermined encryption round, the 
same round key is used. 

2. All round keys can be calculated in advance, i.e. before the point when a data 
block for encryption will be selected for encryption with the DES algorithm. 

These facts are supported by well-known literature references describing DES algorithm, 
such as those enclosed in Evidence Appendix. These references describe the procedure of 
forming DES round keys as an independent one and not depending on data converted. A 
person of ordinary skill in the art who is familiar with block encryption methods can 
confirm this position. Thus, in algorithm DES, the bit permutation operation is performed 
on the key depending on the number of the round and not on the data subblock. i.e. the 
feature of performing the subkev bit permutation operation depending on the data subblock 
being converted , that is present in the claimed invention, is novel. 

Therefore, the currently presented claims are not anticipated by Schneier and the 
rejection under 35 U.S.C. § 102 (b) has been overcome. Accordingly, withdrawal of the 
rejection under 35 U.S.C. § 102 (b) is respectfully requested. 



Washington, D,C. 20004 

Enclosed: 

CLAIM APPENDEX 

EVIDENCE APPENDIX 

RELATED PROCEEDING APPENDEX 



Respectfully submitted, 



JACOBSON HOLMAN PLLC 



Date: May 8, 2007 

(202) 638-6666 

400 Seventh Street, N.W. 
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VIII. CLAIM APPENDEX 



Claim 1 (previously presented): A method for block encryption of discrete data, 
comprising the steps of: generating an encryption key in the form of a set of subkeys, 
breaking down a data block into N > 2 data subblocks and alternately converting said data 
subblocks by performing a two-place operation on the data subblock and the subkey, 
wherein, prior to carrying out said two-place operation on an i-th data subblock and a 
subkey, an operation of permuting subkey bits is performed on the subkey depending on 
the value of a j-th data subblock, where i ^ j. 

Claim 2 (cancelled) 

Claim 3 (previously presented): The method according to claim 1, wherein an 

operation of cyclic offsetting subkey bits depending on the value of the j-th data subblock 
is used as the j-th data subblock-dependent operation of permuting subkey bits. 

Claim 4 (cancelled) 

Claim 5 (previously presented) The method according to claim 1, wherein the 
operation of permuting subkey bits is performed on one of said set of subkeys depending 
on the value of the j-th data subblock, where i ^j, and the value of another subkey. 
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IX. EVIDENCE APPENDIX 

1. Bruce Schneier, Applied Cryptography, 1996, John Wiley & Sons, pages 270 - 273, 
cited by Examiner in Office Actions mailed on October 19, 2005 and September 14, 
2006; 

2. Menezes A.J., Vanstone S.A., Handbook of Applied Cryptography, CRC Press, 
1996, page 225, submitted by Applicant in Response filed on August 22, 2006 in 
response to Office Action of May 23, 2006; 

3. Buchmann J. Introduction to Cryptography, Springer- Verlag, New York, Berlin, 
2004, page 131, submitted by Applicant in Response filed on August 22, 2006 in 
response to Office Action of May 23, 2006; 
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n 1911 the algorithm was recertified fc^ar^ther ^ yei lUSOK Software imple- 
Anyone want to guess what will happen in 1998. 

12 2 Description of DES 

OHS is a bloc, ciphe. i. ''^lf';j::^:^^%^,^'J^ott^r 
goea in one end of the 'leondim^d.^ba block o^c^ ^ 1^^^ 

end. DES is a symmetnc '"f '^*"J°,"™SS°„„s in the key schedule), 
encryption and d-'W''- '"^"^^^ - ' ^^-W' 

easily be avoided All security ^'^^^^-T^^^^ ,Han a combinarion ol the two 
At its simplest level, the algolithin '^ ""'^e ^he fundamental building 

basic techniques of encrypuon. ^""^^r ,1 substitution followed by 

block of DES is a single combmation of these K^'l" ^ pES has 16 

•'^?e'SX\s^:Us.an^tdarit^^^^^ 

64 bits at most, so it was easily ^^Pl^"^^^'^''/.''. if., ^se on a special-purpose 
3:rSS~ ::?:i:^t'b!^ c"u.en. implementations 

are better. 

r:p~?rrb.^^^^^ 

block is broken into a right ^ l^^^^^^^^^^ are combined 

rounds of identical operations, halves are joined, and a 

with the key. After the ^-^-^^^^^^^^^^ off the algorithm, 

finalpermutation the mverse of the u^^^^^^^ ^ ^^^^ 48 bits are 

In each round see Figure 12 2), the ^ey du& expanded to 48 bits 

selected from the 56 bits of the key Jhe nght hf o^^^^^^^^ 
via an expansion permutation combmed wi^48^^^^^^^ P^^^^^ 
via an XOR, sent through 8 S'boxes pro^^^^^^ ^ ^^^^ 

These four operations make 

left haAhese operations are 
repeated 16 times, making 16 rounds of DES. ^ ^ 
isl^'S^-kS'fotl^n? 

pelSuti aXlUng with the key, then a round looks hke: 
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Figure 12.1 DES. 
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The Initial Permutation 

The initial permutation occurs before round 1; it transposes the input block as 
described in Table 12. 1 . This table, Uke all the other tables in this chapter, should be 
read left to right, top to bottom. For example, the initial permutation moves bit 58. 
of the plaintext to bit position 1, bit.50 to bit position 2, bit 42 to ^it position 3, and 

so forth. . • , , . J ■ ^ u t- 

The initial permutation and the corresponding final permutation do not attect 
DES's security. (As near as anyone can tell, its primary purpose is to make it easier 
to load plaintext and ciphertext data into a DES chip in byte-sized pieces. Remem- 
ber that DES predates 16-bit or 32-bit microprocessor busses.) Since, this bit->vise 
permutation is difficult in software (although it is trivial in hardware), many soft- 
ware implementations of DES leave out both the initial and final permutations^ 
While this new algorithm is no less secure than DES, it does not follow the DES 
standard and should not be called DES. 
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Figure 12.2 One lound of DES. 



The Key Transformation 

InitiaUy the 64-bit DES key is reduced to a 56-bit key by ignoring every eighth bit. 
This is described in Table 12.2. These bits can be used as parity check to ensure the 
key is error-free. After the 56-bit key is extracted, a different 48-bit subkey is gener- 
ated for each of the 16 rounds of DES. These subkeys. K„ are determined in the fol- 
lowing manner. , , , 

First, the 56-bit key is divided into two 28-bit halves. Then, the halves are circu- 
larly stiifted left by either one or two bits, depending on the round. This shift is 
given in Table 12.3. 



Table 12.1 

I mtial Permutation ^ 

58, 50, 42, 34. 26, 18, 10. 2. 60, 52, 44, 36, 28. 20, 12, 4, 
62, 54, 46, 38, 30, 22, 14, 6. 64, 56, 48. 40, 32, 24, 16. 8, 
57, 49. 41. 33. 25. 17. 9. 1, 59. 51. 43. 35. 27, 19, 1, 3, 
61, 53, 45, 37. 29. 21. 13. 5. 63. 55. 47. 39. 31, 23, 15, _7 
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Table 12.2 

Key Permutation 

57, 49, 41, 33, 25, 9. 1, 58, 50, 42, 34, 26, 

10 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 
63! 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 
14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20. 12, 4 



After being shifted, 48 out of the 56 bits are selected. Because this operation per- 
mutes the order of the bits as well as selects a subset of bits, it is called a compres- 
sion permutation. This operation provides a subset of 48 bits. Table 12.4 defines the 
compression permutation (also called the permuted choice). For example, the bit in 
position 33 of the shifted key moves to position 35 of the output, and the bit in posi- 
tion 18 of the shifted key is ignored. 

Because of the shifting, a different subset of key bits is used in each subkey. Each 
bit is used in approximately 14 of the 16 subkeys, although not all bits are used 
exactly the same number of times. 

TTic Expansion Permutation 

This operation expands the right half of the data, Ri, from 32 bits to 48 bits. 
Because this operation changes the order of the bits as well as repeating certain bits, 
it is known as an expansion permutation. This operation has two purposes: It makes 
the right half the same size as the key for the XOR operation and it provides a longer 
result that can be compressed during the substitution operation. However, neither 
of those is its main cryptographic purpose. By allowing one bit to affect two substi- 
tutions, the dependency of the output bits on the input bits spreads faster. This is 
called an avalanche effect. DBS is designed to reach the condition of haviug every bit 
of the ciphertext depend on every bit of the plaintext and every bit of the key as 
quickly as possible. 

Figure 12.3 defines the expansion permutation. This is sometimes called the E- 
box. For each 4-bit input block, the first and fourth bits each represent two bits of 
the output block, while the second and third bits each represent one bit of the out- 
put block. Table 12.5 shows which output positions correspond to which input posi- 
tions. For example, the bit in position 3 of the input block moves to position 4 of the 
output block, and the bit in position 21 of the input block moves to positions 30 and 
32 of the output block. 

Although the output block is larger than the input block, each input block gener- 
ates a unique output block. 



Table 12.3 
Number of Key Bits Shifted per Round 



Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 
Number 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 
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Figvure 7.10: DES hmerftmction f. 



7.83 Algorithm DES key schedule 

INPUT: 64-bll key A' = Jti . - - fcw (including 8 odd-pariiy bils). 
OUTPUT:sixlccn48-bUkeya/Ci.l <i< 10- « ^ , 

n.n». i< 16 as follow.: vc^l for i € {l.^S.16};.. = 2 od.erw.se. 

(Th(a« art Icfi-shifi values for 28-bil circular roiauons UIo^^ 
2. rTpCl(Jr);icprcscmTas2R-b5ihalvcs(Ci>.£>o)-tUscPCl In Table 7.4 10 select 

' bits from K: Co = ^7^10 • • • ^30. Do =" fcoafess - • j^ ) . „ _ , n ^ 

3 Far i fiom I to 16, compute Id ta follows: C, *- (C'i-i D* <- (Di- i 

" « Wr- <- PC2(Cr (Use PC2 in Table 7.4 to select 48 bits from the concatena- 
U on . . . bao of Q and A: i^Tj ° bM&iT denotes left circular shin.) 

If decryplion is designed as a simple variation of ihc encrypUon funcUon, savings resuil 
in hardware or software code size. DES achieves this as ouUined in Note 7.84. 

7.84 Note (Z>£Sdeci5ptf<>n)DESdecorptionconsis.softheencrypti^ 

key but reversed tavscbedule.,ushig in order J^w.if«,^ ™3 
wod« as^Uows cSfer to Bgure 7.9). The effect of IP-^ is cancelled by IP m (kcryp- 
tioo. leaving {Jl,e , Lis): consider applying round 1 » Ms inpuL TT>e operadon on the left 

half yields T«her than Xo©/(Jlo.li:i), ^^^^ f T- 1' -^m 

andiia = Z>is©/(ili5,/<'lo).is equal 10 L^^9nRi9,Kie)9f{Ri^J<iB) = ^Jus 
Sund Y decS^Uon yiS^ C^U li.s). i-C inverting round 16. Note thai the cancellauoa 
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5. 2. DESAlg>rithm l^l 



r ® ® ® ® ^ ^ .a 

j^Cl I G I O j C* I Ca I C6 I C7 i c» 



1 



FIGURE 5.1 The /"-function of DES. 

is computed with B,- e {0, 1}^, 1 < i < 8. In the next step, functions 

. SiMO.l}"-^ {0,l}^ l<i<8 
are used (the so-called S-boxes). They are described below. Using 
those functions, thft string 

C = CiC2C:iCACsCsC7C(i 

is determined, where d = S^CB.). 1 < ^ ^ 8. It has length 32. The 
permulation P from T^ble 5.3 is applied to this string. The result .s 

5.2.4 S-bpxes 

J -w^ <: V^ovfts Si 1 < I < 8. They are the heart of DES 

SrvTin 4lir5.4.l3Ch is ^presented a «bU vrtth four 
Ja^Jand 16 cotamns. For each strmg B = b.bxi^b-b.s&s, -he vahie 
S W -imputed as follows. Ttie integer vrta binary «par».on ^b, 
?s ui^ as thVrow index. The integer with binary expansion b^hi^ 
a* *e column index. The entry of the S*ox m tin^ row and 
^ton i^tten in binary expansion. Hiis ^pansroT, rs padded 
^S,"^ng zeros that its length is four. The result « 6,(F). 
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